easyrsa build-client-full: /etc/openvpn/pki/openssl-easyrsa.cnf: No such file or directory

[ebarault]

hi @kylemanna,

After your last docker image build (trigger by this unrelated commit on the Readme file) the easyrsa build-client-full command does not work anymore:

$ docker exec -it ovpn easyrsa build-client-full ebarault nopass

sed: /etc/openvpn/pki/openssl-easyrsa.cnf: No such file or directory
Easy-RSA error: Failed to update /etc/openvpn/pki/safessl-easyrsa.cnf

Sticking to kylemanna/openvpn:2.4 did it for us

cc: @krezreb

[faxmaster]

Hello! First thanks for this image which has worked flawlessly until now!. I have the same problem using latest master... Unable to create new client certs or revoke certs. As I have aarch64 architecture that isn't built on docker hub, I'm unable to build a functioning image now... Must be an update of Easyrsa that's causing the problem.

[faxmaster]

Regenerating all pki certificates (with ovpn_initpki) solved it for me. The problem seems to come from easyrsa update from 3.0.5 to 3.0.6 which broke compatibility with previously generated certificates (see OpenVPN/easy-rsa#259)

[bwindsor]

Just for information, https://github.com/JenswBE/wolverine/commit/59a6cb6aa226e3c40a3c3a56a841dc83e322d037 change to use the old image kylemanna/openvpn:2.4 fixed this problem for me.

[exNewbie]

I fell into this issue and found workaround. The good point is that I didn't need to downgrade to version 2.4.

First thing first, you need to log in to the VPN container.

2 workarounds are

• In order to satisfy easy-rsa, you need to create new folders (referred to this link)

cd /etc/openvpn/pki/
mkdir revoked; chmod 700 revoked/
cd revoked/
mkdir certs_by_serial; mkdir private_by_serial; mkdir reqs_by_serial; chmod 700 *

cd /etc/openvpn/pki/
cp -R revoked/ renewed

• Copy the missing openssl-easyrsa.cnf

cp -a /usr/share/easy-rsa/openssl-easyrsa.cnf /etc/openvpn/pki/

You should be able to add/remove client now.